aws-sdk-eks 1.158.0 → 1.159.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eaf4cad383d20035c9759b6e53d0808bbedb712014908c979fe5990337ebe818
-  data.tar.gz: da6d7b0fae212666e30af5dbaca9f96c9dcf243620421b81c4d93b7460bdd5e9
+  metadata.gz: 8e734c8b87223ad327b6cff86b52567ca43d1fbf3221789b9f6e4b7497c23ec6
+  data.tar.gz: f650ff968a4b8a101fbc5e3cb22445db2585604ab2df5b52e4c782dd05b95e54
 SHA512:
-  metadata.gz: 5cdd36315ce36e5a3f6824f0798280d53bde14ac2b70660ac332675b8ed9a46a4071591c934b961723f39ca92df08208f144f6ec01df80c92713c769d04bbdf0
-  data.tar.gz: e9076d5c0821d817389eaaea2917da72a5dc7f5eb1eaa4960f1fa4dbf86e59aa5f33b19557b9f12de868ffa64a50deb66955796a5e15ca78f222649f78e8ec4d
+  metadata.gz: 998fe97748cfe592ba32c7dd13a90d289eb8c061b23c870fe54f53cc13f78f2ad8ac60366126665dd5705e6092dc80ed357bf176e3a4b51ee010506de5b5cd50
+  data.tar.gz: a0f4df52ef6a6139fe5c58bc9edcfe55c43ec83e304d842bcdc0f1370f0913d5884f9f91d0f4a617c293ce93536297fef1634a721882191e1d51cf5fc5f76eb6

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.159.0 (2026-02-10)
+------------------
+
+* Feature - Introducing an optional policy field, an IAM policy applied to pod identity associations in addition to IAM role policies. When specified, pod permissions are the intersection of IAM role policies and the policy field, ensuring the principle of least privilege.
+
 1.158.0 (2026-02-09)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.158.0
+1.159.0

data/lib/aws-sdk-eks/client.rb

@@ -2332,6 +2332,25 @@ module Aws::EKS
     #   allowing your Pods to securely access resources like S3 buckets in the
     #   target account.
     #
+    # @option params [String] :policy
+    #   An optional IAM policy in JSON format (as an escaped string) that
+    #   applies additional restrictions to this pod identity association
+    #   beyond the IAM policies attached to the IAM role. This policy is
+    #   applied as the intersection of the role's policies and this policy,
+    #   allowing you to reduce the permissions that applications in the pods
+    #   can use. Use this policy to enforce least privilege access while still
+    #   leveraging a shared IAM role across multiple applications.
+    #
+    #   **Important considerations**
+    #
+    #   * **Session tags:** When using this policy, `disableSessionTags` must
+    #     be set to `true`.
+    #
+    #   * **Target role permissions:** If you specify both a `TargetRoleArn`
+    #     and a policy, the policy restrictions apply only to the target
+    #     role's permissions, not to the initial role used for assuming the
+    #     target role.
+    #
     # @return [Types::CreatePodIdentityAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreatePodIdentityAssociationResponse#association #association} => Types::PodIdentityAssociation
@@ -2349,6 +2368,7 @@ module Aws::EKS
     #     },
     #     disable_session_tags: false,
     #     target_role_arn: "String",
+    #     policy: "String",
     #   })
     #
     # @example Response structure
@@ -2367,6 +2387,7 @@ module Aws::EKS
     #   resp.association.disable_session_tags #=> Boolean
     #   resp.association.target_role_arn #=> String
     #   resp.association.external_id #=> String
+    #   resp.association.policy #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/CreatePodIdentityAssociation AWS API Documentation
     #
@@ -2900,6 +2921,7 @@ module Aws::EKS
     #   resp.association.disable_session_tags #=> Boolean
     #   resp.association.target_role_arn #=> String
     #   resp.association.external_id #=> String
+    #   resp.association.policy #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/DeletePodIdentityAssociation AWS API Documentation
     #
@@ -3932,6 +3954,7 @@ module Aws::EKS
     #   resp.association.disable_session_tags #=> Boolean
     #   resp.association.target_role_arn #=> String
     #   resp.association.external_id #=> String
+    #   resp.association.policy #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/DescribePodIdentityAssociation AWS API Documentation
     #
@@ -6296,6 +6319,25 @@ module Aws::EKS
     #   allowing your Pods to securely access resources like S3 buckets in the
     #   target account.
     #
+    # @option params [String] :policy
+    #   An optional IAM policy in JSON format (as an escaped string) that
+    #   applies additional restrictions to this pod identity association
+    #   beyond the IAM policies attached to the IAM role. This policy is
+    #   applied as the intersection of the role's policies and this policy,
+    #   allowing you to reduce the permissions that applications in the pods
+    #   can use. Use this policy to enforce least privilege access while still
+    #   leveraging a shared IAM role across multiple applications.
+    #
+    #   **Important considerations**
+    #
+    #   * **Session tags:** When using this policy, `disableSessionTags` must
+    #     be set to `true`.
+    #
+    #   * **Target role permissions:** If you specify both a `TargetRoleArn`
+    #     and a policy, the policy restrictions apply only to the target
+    #     role's permissions, not to the initial role used for assuming the
+    #     target role.
+    #
     # @return [Types::UpdatePodIdentityAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdatePodIdentityAssociationResponse#association #association} => Types::PodIdentityAssociation
@@ -6309,6 +6351,7 @@ module Aws::EKS
     #     client_request_token: "String",
     #     disable_session_tags: false,
     #     target_role_arn: "String",
+    #     policy: "String",
     #   })
     #
     # @example Response structure
@@ -6327,6 +6370,7 @@ module Aws::EKS
     #   resp.association.disable_session_tags #=> Boolean
     #   resp.association.target_role_arn #=> String
     #   resp.association.external_id #=> String
+    #   resp.association.policy #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/UpdatePodIdentityAssociation AWS API Documentation
     #
@@ -6355,7 +6399,7 @@ module Aws::EKS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-eks'
-      context[:gem_version] = '1.158.0'
+      context[:gem_version] = '1.159.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-eks/client_api.rb

@@ -854,6 +854,7 @@ module Aws::EKS
     CreatePodIdentityAssociationRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagMap, location_name: "tags"))
     CreatePodIdentityAssociationRequest.add_member(:disable_session_tags, Shapes::ShapeRef.new(shape: BoxedBoolean, location_name: "disableSessionTags"))
     CreatePodIdentityAssociationRequest.add_member(:target_role_arn, Shapes::ShapeRef.new(shape: String, location_name: "targetRoleArn"))
+    CreatePodIdentityAssociationRequest.add_member(:policy, Shapes::ShapeRef.new(shape: String, location_name: "policy"))
     CreatePodIdentityAssociationRequest.struct_class = Types::CreatePodIdentityAssociationRequest
 
     CreatePodIdentityAssociationResponse.add_member(:association, Shapes::ShapeRef.new(shape: PodIdentityAssociation, location_name: "association"))
@@ -1506,6 +1507,7 @@ module Aws::EKS
     PodIdentityAssociation.add_member(:disable_session_tags, Shapes::ShapeRef.new(shape: BoxedBoolean, location_name: "disableSessionTags"))
     PodIdentityAssociation.add_member(:target_role_arn, Shapes::ShapeRef.new(shape: String, location_name: "targetRoleArn"))
     PodIdentityAssociation.add_member(:external_id, Shapes::ShapeRef.new(shape: String, location_name: "externalId"))
+    PodIdentityAssociation.add_member(:policy, Shapes::ShapeRef.new(shape: String, location_name: "policy"))
     PodIdentityAssociation.struct_class = Types::PodIdentityAssociation
 
     PodIdentityAssociationSummaries.member = Shapes::ShapeRef.new(shape: PodIdentityAssociationSummary)
@@ -1766,6 +1768,7 @@ module Aws::EKS
     UpdatePodIdentityAssociationRequest.add_member(:client_request_token, Shapes::ShapeRef.new(shape: String, location_name: "clientRequestToken", metadata: {"idempotencyToken" => true}))
     UpdatePodIdentityAssociationRequest.add_member(:disable_session_tags, Shapes::ShapeRef.new(shape: BoxedBoolean, location_name: "disableSessionTags"))
     UpdatePodIdentityAssociationRequest.add_member(:target_role_arn, Shapes::ShapeRef.new(shape: String, location_name: "targetRoleArn"))
+    UpdatePodIdentityAssociationRequest.add_member(:policy, Shapes::ShapeRef.new(shape: String, location_name: "policy"))
     UpdatePodIdentityAssociationRequest.struct_class = Types::UpdatePodIdentityAssociationRequest
 
     UpdatePodIdentityAssociationResponse.add_member(:association, Shapes::ShapeRef.new(shape: PodIdentityAssociation, location_name: "association"))

data/lib/aws-sdk-eks/types.rb

@@ -2945,6 +2945,26 @@ module Aws::EKS
     #   like S3 buckets in the target account.
     #   @return [String]
     #
+    # @!attribute [rw] policy
+    #   An optional IAM policy in JSON format (as an escaped string) that
+    #   applies additional restrictions to this pod identity association
+    #   beyond the IAM policies attached to the IAM role. This policy is
+    #   applied as the intersection of the role's policies and this policy,
+    #   allowing you to reduce the permissions that applications in the pods
+    #   can use. Use this policy to enforce least privilege access while
+    #   still leveraging a shared IAM role across multiple applications.
+    #
+    #   **Important considerations**
+    #
+    #   * **Session tags:** When using this policy, `disableSessionTags`
+    #     must be set to `true`.
+    #
+    #   * **Target role permissions:** If you specify both a `TargetRoleArn`
+    #     and a policy, the policy restrictions apply only to the target
+    #     role's permissions, not to the initial role used for assuming the
+    #     target role.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/CreatePodIdentityAssociationRequest AWS API Documentation
     #
     class CreatePodIdentityAssociationRequest < Struct.new(
@@ -2955,7 +2975,8 @@ module Aws::EKS
       :client_request_token,
       :tags,
       :disable_session_tags,
-      :target_role_arn)
+      :target_role_arn,
+      :policy)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -6745,6 +6766,16 @@ module Aws::EKS
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
     #   @return [String]
     #
+    # @!attribute [rw] policy
+    #   An optional IAM policy in JSON format (as an escaped string) that
+    #   applies additional restrictions to this pod identity association
+    #   beyond the IAM policies attached to the IAM role. This policy is
+    #   applied as the intersection of the role's policies and this policy,
+    #   allowing you to reduce the permissions that applications in the pods
+    #   can use. Use this policy to enforce least privilege access while
+    #   still leveraging a shared IAM role across multiple applications.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/PodIdentityAssociation AWS API Documentation
     #
     class PodIdentityAssociation < Struct.new(
@@ -6760,7 +6791,8 @@ module Aws::EKS
       :owner_arn,
       :disable_session_tags,
       :target_role_arn,
-      :external_id)
+      :external_id,
+      :policy)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -8379,6 +8411,26 @@ module Aws::EKS
     #   like S3 buckets in the target account.
     #   @return [String]
     #
+    # @!attribute [rw] policy
+    #   An optional IAM policy in JSON format (as an escaped string) that
+    #   applies additional restrictions to this pod identity association
+    #   beyond the IAM policies attached to the IAM role. This policy is
+    #   applied as the intersection of the role's policies and this policy,
+    #   allowing you to reduce the permissions that applications in the pods
+    #   can use. Use this policy to enforce least privilege access while
+    #   still leveraging a shared IAM role across multiple applications.
+    #
+    #   **Important considerations**
+    #
+    #   * **Session tags:** When using this policy, `disableSessionTags`
+    #     must be set to `true`.
+    #
+    #   * **Target role permissions:** If you specify both a `TargetRoleArn`
+    #     and a policy, the policy restrictions apply only to the target
+    #     role's permissions, not to the initial role used for assuming the
+    #     target role.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/UpdatePodIdentityAssociationRequest AWS API Documentation
     #
     class UpdatePodIdentityAssociationRequest < Struct.new(
@@ -8387,7 +8439,8 @@ module Aws::EKS
       :role_arn,
       :client_request_token,
       :disable_session_tags,
-      :target_role_arn)
+      :target_role_arn,
+      :policy)
       SENSITIVE = []
       include Aws::Structure
     end

data/lib/aws-sdk-eks.rb

@@ -55,7 +55,7 @@ module Aws::EKS
   autoload :EndpointProvider, 'aws-sdk-eks/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-eks/endpoints'
 
-  GEM_VERSION = '1.158.0'
+  GEM_VERSION = '1.159.0'
 
 end
 

data/sig/client.rbs

@@ -423,7 +423,8 @@ module Aws
                                              ?client_request_token: ::String,
                                              ?tags: Hash[::String, ::String],
                                              ?disable_session_tags: bool,
-                                             ?target_role_arn: ::String
+                                             ?target_role_arn: ::String,
+                                             ?policy: ::String
                                            ) -> _CreatePodIdentityAssociationResponseSuccess
                                          | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CreatePodIdentityAssociationResponseSuccess
 
@@ -1237,7 +1238,8 @@ module Aws
                                              ?role_arn: ::String,
                                              ?client_request_token: ::String,
                                              ?disable_session_tags: bool,
-                                             ?target_role_arn: ::String
+                                             ?target_role_arn: ::String,
+                                             ?policy: ::String
                                            ) -> _UpdatePodIdentityAssociationResponseSuccess
                                          | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _UpdatePodIdentityAssociationResponseSuccess
 

data/sig/types.rbs

@@ -569,6 +569,7 @@ module Aws::EKS
       attr_accessor tags: ::Hash[::String, ::String]
       attr_accessor disable_session_tags: bool
       attr_accessor target_role_arn: ::String
+      attr_accessor policy: ::String
       SENSITIVE: []
     end
 
@@ -1432,6 +1433,7 @@ module Aws::EKS
       attr_accessor disable_session_tags: bool
       attr_accessor target_role_arn: ::String
       attr_accessor external_id: ::String
+      attr_accessor policy: ::String
       SENSITIVE: []
     end
 
@@ -1773,6 +1775,7 @@ module Aws::EKS
       attr_accessor client_request_token: ::String
       attr_accessor disable_session_tags: bool
       attr_accessor target_role_arn: ::String
+      attr_accessor policy: ::String
       SENSITIVE: []
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-eks
 version: !ruby/object:Gem::Version
-  version: 1.158.0
+  version: 1.159.0
 platform: ruby
 authors:
 - Amazon Web Services